A company is deploying an application on Amazon EC2 instances that writes to Amazon Elastic Block Store (Amazon EBS) volumes. The company must ensure all data written to the EBS volumes is encrypted at rest. Which solution meets this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Create the EBS volumes as encrypted volumes. Attach the EBS volumes to the EC2 instances..
Why this is the answer
To ensure data on EBS volumes is encrypted at rest, you must create the EBS volumes as encrypted volumes directly. When an encrypted EBS volume is attached to an EC2 instance, all data written to it is automatically encrypted using AWS Key Management Service (KMS) keys. Incorrect options: An IAM role specifies permissions for an entity, but it does not directly enforce or configure EBS encryption. EC2 instance tags are metadata for organization and automation; they do not control EBS encryption settings. While AWS KMS is used for EBS encryption, a KMS key policy alone does not enforce that all newly created EBS volumes must be encrypted. It defines who can use the key, not a default encryption setting for EBS. You can enforce default encryption for new EBS volumes in an AWS Region, but the most direct way to ensure an individual volume is encrypted is to create it as such.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed